Forum Discussion

zeropixel_23561
Dec 22, 2015

troubleshooting techniques on ASM security policies (PLEASE ADVISE)

I configured the virtual server and pool for the application to go through F5 LTM. I tweaked the protocol profile and HTTP profile, and I am able to browse the application, and it is working fine.

However, after I create the application security policy (automatic and transparent mode) and set the policies with the virtual server, I am unable to get the response back when I browse the application. I am setting it to transparent mode, so I don't know why it will impact it. Any suggestions on how I can troubleshoot this?

Thanks so much for any advice!!

6 Replies

  • nathe

    I'd ensure you have a logging profile on the virtual server and log both legal and illegal events. This might give you an idea.

    If not, a packet capture may help.

    N

  • I wonder if there are any headers and limitations on the ASM side? I saw a whole bunch of HTTP and protocol profiles on the LTM side.

    • nathe
      Perhaps HttpFox or Fiddler will help see what headers are in use with and without ASM enabled. By default, ASM removes the Server header back to the client, for information disclosure reasons. It can be added back, and there is an AskF5 solution on it.
    • zeropixel_23561
      It is new to me that ASM removes the Server header. How can I disable this setting? I think that can be the reason.
  • Hi Nathan, so ASM removes the Server header before sending back to the client. Is there a way I can disable this setting? I think the client is checking if the server headers are there.

    • nathe
      Yes. See https://support.f5.com/kb/en-us/solutions/public/14000/300/sol14342
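
Added example (not part of the original thread): a small Python script that automates the comparison suggested above, diffing the response headers captured with and without ASM in the path. The two captures are constructed sample data, and the `Server: Apache` value and the function names are assumptions for illustration.

```python
"""Diff HTTP response headers captured with and without ASM in the path."""

# Constructed sample captures (not from the thread); paste your own from
# Fiddler or a packet capture. Header values here are assumptions.
DIRECT = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 22 Dec 2015 10:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 512\r\n"
    "\r\n"
)
VIA_ASM = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 22 Dec 2015 10:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 512\r\n"
    "\r\n"
)


def parse_head(raw):
    """Return (status_line, {lowercased-name: [values]}) for a raw response head."""
    lines = raw.splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines with no colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].strip(), headers


def diff_headers(direct, via_asm):
    """List header names removed, added, or changed between the two captures."""
    status_a, a = parse_head(direct)
    status_b, b = parse_head(via_asm)
    return {
        "status_changed": status_a != status_b,
        "removed": sorted(set(a) - set(b)),
        "added": sorted(set(b) - set(a)),
        "changed": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


if __name__ == "__main__":
    for kind, value in diff_headers(DIRECT, VIA_ASM).items():
        print(f"{kind}: {value}")
```

Headers that legitimately vary per request, such as `Date`, will show up under `changed` in real captures and can be ignored.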